Recently many readers have been discussing hacked sites and free WordPress themes and plugins that turn out to carry injected malware, so today V will show you how to tell whether a WordPress theme or plugin has had a backdoor left in it. First, the WordPress runtime environment: as any site owner with a little background knows, WordPress is a system built on PHP + MySQL, and WordPress themes and plugins are written as executable files with the .php suffix. This is why free WordPress themes and plugins are so easily backdoored. Since they are written in PHP, knowing the functions that PHP backdoors commonly use lets us judge, to a certain degree, whether a theme or plugin contains a backdoor or trojan. Below, V lists some common PHP backdoor functions:
Execute system commands: system, passthru, shell_exec, exec, popen, proc_open (high risk)
Code execution: eval, assert, preg_replace('/$pattern/e') (high risk)
File operations: file_get_contents, file_put_contents, fputs, fwrite (high risk)
String encryption/decryption, compression/decompression and hiding: base64_decode, gzinflate, gzuncompress, gzdecode, str_rot13, gzcompress, chr (suspicious)
Creating a WordPress backdoor user: wp_create_user, WP_User, set_role (high risk)
If a theme contains the code V marked as high risk, you can basically conclude that the theme is very problematic: it has almost certainly been backdoored or tampered with. If you find the code marked as suspicious in this article, take note, because that code is likely to be the encrypted part of a backdoor.
Many readers will not know what preg_replace('/$pattern/e') means, so V will explain. When preg_replace is used with the e modifier, it performs the backreference substitution and then runs the replacement string as PHP code, which makes it a very common backdoor technique.
To check whether a theme or plugin contains a backdoor, use a text search tool or software to search its PHP files for the keywords above. For preg_replace hits you need to compare the code by hand to see whether the pattern includes the e modifier. Be careful if a theme file contains chained chr() code of the kind (5).chr(3).chr(58), and be careful if a theme file contains a lot of random-looking characters: these are generally encrypted code and are likely to hide a backdoor.
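The keyword search described above, written out as an added example (not part of the original article): it flags calls to the functions in V's lists, reports preg_replace as high risk only when a literal pattern carries the e modifier, and marks long runs of encoded-looking characters. The function names scan_php and has_e_modifier, the 80-character threshold and the sample PHP are constructed for illustration.

```python
import re

# Function names are the ones listed in the article, grouped by its labels.
HIGH_RISK = ("system passthru shell_exec exec popen proc_open eval assert "
             "file_get_contents file_put_contents fputs fwrite "
             "wp_create_user WP_User set_role").split()
SUSPICIOUS = ("base64_decode gzinflate gzuncompress gzdecode str_rot13 "
              "gzcompress chr").split()

def _call_re(names):
    # Match "name(" as a call, but not a $variable or the tail of a longer
    # identifier (curl_exec is not exec).
    return re.compile(r"(?<![\w$])(" + "|".join(names) + r")\s*\(", re.I)

RULES = [("high risk", _call_re(HIGH_RISK)), ("suspicious", _call_re(SUSPICIOUS))]
PREG = re.compile(r"(?<![\w$])preg_replace\s*\(\s*(?:(['\"])(.*?)\1)?", re.I)
BLOB = re.compile(r"[A-Za-z0-9+/=]{80,}")  # assumed threshold for "random characters"
CLOSERS = {"(": ")", "[": "]", "{": "}", "<": ">"}

def has_e_modifier(pattern):
    """True if a literal PCRE pattern such as '/x/ie' carries the e modifier."""
    close = CLOSERS.get(pattern[0], pattern[0])
    modifiers = pattern[pattern.rfind(close) + 1:]
    return modifiers.isalpha() and "e" in modifiers

def scan_php(source):
    """Return (line number, label, detail) findings for one PHP source string."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        for label, rx in RULES:
            findings += [(no, label, m.group(1).lower()) for m in rx.finditer(line)]
        for m in PREG.finditer(line):
            if m.group(2) is None:  # pattern built at run time: compare by hand
                findings.append((no, "suspicious", "preg_replace (check modifiers manually)"))
            elif m.group(2) and has_e_modifier(m.group(2)):
                findings.append((no, "high risk", "preg_replace /e"))
        if BLOB.search(line):
            findings.append((no, "suspicious", "long encoded string"))
    return findings

SAMPLE = r'''<?php   // constructed sample, not from a real theme
$ch = curl_init(); curl_exec($ch);
$title = preg_replace('/\s+/', ' ', $title);
preg_replace("/$pattern/e", $input, $text);
eval(gzinflate(base64_decode($payload)));
wp_create_user('support', $pw); $u = new WP_User($id); $u->set_role('editor');
'''

if __name__ == "__main__":
    for finding in scan_php(SAMPLE):
        print(finding)
```

Every hit is only a pointer to a line that still has to be read by hand, as the article says for preg_replace. The e modifier was removed in PHP 7.0, so a preg_replace /e hit only executes code on older PHP versions.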
PS: Because Beard usually collects a large number of themes and plugins, it is difficult to check every file in all of them. At most, a few key files are checked for injected malware, so after downloading a theme please check it again yourself as far as possible.